Talk Talk Hack

Unfortunately the above is my ISP so it's very likely my personal details have been compromised.

My question is how was this possible? Shouldn't any sensitive data on the database been encrypted? Such as bank details and credit card numbers.

Find more posts tagged with

Comments

J_86

tmcg wrote: »

My question is how was this possible? Shouldn't any sensitive data on the database been encrypted? Such as bank details and credit card numbers.

Why companies don't encrypted certain things, how they were compromised, what they could of done to prevented the hack; they are all questions everyone of us starts to ask when hacks like this happen.
From the limited info I have seen, it sounds like they were not employing some best practices when it comes to security and that is how the data was compromised. Too soon to tell really, since this is all new at the moment.

lsud00d

Looks like DDoS to divert attention, then SQLi to pilfer customer info db's, which apparently might have been stored in plain-text

One particular file suggests that when some users changed their password via the TalkTalk website, the new value was stored in plaintext -- meaning it may not have been secured in any way. TalkTalk admits on its website that "not all of the data was encrypted," and that appears to cover sensitive data like passwords and possibly even credit card and bank details.

http://www.engadget.com/2015/10/23/talktalk-hack-explainer/

The law is lagging behind technology, as always. Nothing will change until it's codified into law that those responsible for negligent security practices will be held financially responsible for all losses, AND penalized in criminal court. It is criminally insane to store user data but do little to nothing to protect it. If you do not have a budget for IT Security in 2015, gtfo of business, or pay fines and/or go to jail.

paul78

tmcg wrote: »

My question is how was this possible? Shouldn't any sensitive data on the database been encrypted? Such as bank details and credit card numbers.

I'm sorry to hear that your data may have been breached as part of the TalkTalk incident. The reality is that most organizations have weaknesses and if those weaknesses are discovered, it's only a matter of time before bad actors exploit the vulnerabilities.

From what I have read about this breach, it sounds like the attack vector may have been SQL injection. So it's likely that a weakness in the TalkTalk web portal was the issue. Controls like firewalls, storage encryption, may not have prevented the attack. This is really a case where strong secure software development controls could have helped. Perhaps even a good application IDS may have seen the reconnaissance that likely occurred.

Unfortunately, many IT professionals who do not come from a software engineering background fail to recognize application vulnerabilities. And similarly, web developers with weak software engineering backgrounds may lack formal secure development training. The combination of those 2 skillset weaknesses can result in disastrous consequences for an organization.

BTW - assuming that TalkTalk must be PCI compliant - they are required to encrypt the credit card PAN so if credit card numbers were breached it's probably a poor software implementation.

There are also reports that passwords were breached in clear-text. That is inexcusable and simply goes to show that software developers did not understand the basics of authentication. No one stores passwords - good credential management systems would use tokens or hashes.

the_Grinch

The system is setup to allow this to happen. Some simple fines, a few people fired, and paying for credit monitoring is often looked at as cheaper then proper security. The chances of the laws changing or further regulation being put in place are slim. As far as making failure to follow best practices a criminal act, yeah that won't happen. Stupidity is never going to be considered criminally negligent. Criminal negligence by definition is the gross deviation of what an ordinary person would do. Thus what would the ordinary person in the same position as the person who is responsible for the negligent act. Given how often we are hearing about these things it is going to be very tough to make that case stick. Add to that, how do you determine the person solely responsible for it? Is it the person who wrote the system, implemented the system, maintained the system, approved the system, or the person who signed the check to purchase the system? Finally, that would then all need to be proved beyond a reasonable doubt to a jury of 12 people who might lack the technical understanding required for the case.

Cases like this are unfortunate and for lack of a better word suck. But they are more the norm then anything else and the system adapts as best it can. It is really on the consumer to stop doing business with these companies once they discover that they are not keeping their information secure. That sends a message to the industry that the consumer will not tolerate this and when it happens be ready to close up shop.

636-555-3226

According to Wikipedia Talk Talk was founded in 2003. They spent a ton of money and infrastructure upgrades over the years based on a foundation created 12 years ago. Do you know the state of cybersecurity in 2003? Everything was plain-text, and at best your password may have been MD5 hashed. Until they get burned, the "business" side of the business never justifies the extreme expense (money and manpower) of redoing everything to bring it up to modern security standards. That's why they (and you) got burned. This **may** be enough for them to bring it up to modern standards, but maybe not.....

dustervoice

Sorry to hear that your personal details have been compromised but from what ive seen this is industry problem not just a talk talk issue. Ive work for companies that don't even have a firewall. My first day on the job i was given a network diagram i notice there were no firewalls listed I then asked the IT manager why the company hadn''t deployed any firewall technology he stated " Firewall slows down traffic, we make money by the second here any latency we are losing money" I almost fainted. Ive seen in banking mobile app that https wasnt implemented. i asked the developers about this they claim "Https isnt in the standard written back in 2001. we are coders and we do what we are told and developing the app with https goes against the standard". This is just a few examples but ive seen worse so im not surprise that talktalk database was encrypted and they got popped!

cyberguypr

More insight into this:

- https://nakedsecurity.sophos.com/2015/10/27/talktalk-breach-ceo-dismisses-encryption-15-year-old-arrested

- https://paul.reviews/value-security-avoid-talktalk/

As to why they were not encrypting:

Harding also said in an interview that TalkTalk did not encrypt customer financial information but was "not legally required" to do so - because the UK's 1998 Data Protection Act does not explicitly require encryption.

The norm seems to be "let's do whatever the minimum required is and we'll deal with the consequences later".

thenjduke

Wow if this crap when down where i work I know there be alot of issues. We encrypt everything from internal traffic all the way to the laptop that are given to use. Yes firewalls, encryption, and IDS are annoying but in the long run your better off. I even encrypt my dam cell phone and laptop and that is my personal stuff.

paul78

thenjduke wrote: »

We encrypt everything from internal traffic all the way to the laptop that are given to use. Yes firewalls, encryption, and IDS are annoying but in the long run your better off. I even encrypt my dam cell phone and laptop and that is my personal stuff.

From what I've read about the breach so far - the vulnerability existed in an application that was susceptible to a SQL injection attack. Unfortunately, none of the controls that you mentioned would have prevented the TalkTalk breach except perhaps a database firewall or IDS that was could detect anomalous SQL however even a database firewall is no panacea since you could then be susceptible to a DOS attack. And most IDS's are not necessarily able to detect application logic flow sufficiently to isolate an attack from normal application traffic.

@cyberguypr - this link claims that a Qualsys scan can detect PCI compliance. That's actually not accurate. PCI-DSS is a lot more comprehensive. For example, if credit cards and credentials were tokenized instead - the data stolen may have been useless to the hackers.

If the TalkTalk breach turns out to be a SQL injection attack on an application, I hope that secure SDLC practices become a lot more prevalent.

I think too often non-technology people think that encryption is the cure-all but it's a bit more complicated than that